feat(aws): New workflow for deploying to AWS (#599)

projectNEWM · May 12, 2024 · 6db4684 · 6db4684
1 parent 090a0ec
commit 6db4684
Show file tree

Hide file tree

Showing 15 changed files with 4,552 additions and 19 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,10 @@
+# .dockerignore
+node_modules
+.github
+.git
+.nx
+.env*
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/.github/workflows/aws-hosting-pull-request-newm-marketplace.yml b/.github/workflows/aws-hosting-pull-request-newm-marketplace.yml
@@ -0,0 +1,58 @@
+name: Deploy NEWM Marketplace to AWS Hosting on PR
+on:
+  pull_request:
+    paths:
+      - .github/workflows/aws-hosting-pull-request-newm-marketplace.yml
+      - apps/marketplace/**
+      - packages/**
+jobs:
+  build_and_preview:
+    if: "${{ github.event.pull_request.head.repo.full_name == github.repository }}"
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # required to interact with GitHub's OIDC Token endpoint.
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v3
+      - run: npm install
+      - run: npx nx build marketplace
+        env:
+          NEXT_PUBLIC_APPLE_CLIENT_ID: ${{ secrets.APPLE_CLIENT_ID }}
+          NEXT_PUBLIC_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
+          NEXT_PUBLIC_GA_STUDIO_ID: ${{ secrets.GA_STUDIO_ID }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          NEXT_PUBLIC_ENV: staging
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_GITHUB_DEPLOY_ROLE_ARN_GARAGE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Lambda-ify
+        run: echo "COPY --from=public.ecr.aws/awsguru/aws-lambda-adapter:0.7.1 /lambda-adapter /opt/extensions/lambda-adapter" >> apps/marketplace/Dockerfile
+
+      - name: Install AWS CDK
+        run: npm install -g aws-cdk
+
+      - name: Set outputs
+        id: vars
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Deploy to Lambda Function
+        run: |
+          npm install --prefix .github/workflows/cdk
+          APPNAME=marketplace QUALIFIER=${{ github.event.pull_request.number }} npm run --prefix .github/workflows/cdk cdk deploy -- --require-approval never
+
+      - name: Get preview url
+        id: previewurl
+        run: echo "previewurl=$(aws cloudformation describe-stacks --stack-name marketplace-${{ github.event.pull_request.number }} --query 'Stacks[0].Outputs[0].OutputValue' --output text)" >> $GITHUB_OUTPUT
+
+      - name: Url to PR comment
+        uses: mshick/add-pr-comment@v2
+        with:
+          message: |
+            Visit the preview URL for this PR (updated for commit ${{ steps.vars.outputs.sha_short }}):
+            :rocket: ${{ steps.previewurl.outputs.previewurl }}
+          allow-repeats: true
diff --git a/.github/workflows/aws-hosting-pull-request-newm-studio.yml b/.github/workflows/aws-hosting-pull-request-newm-studio.yml
@@ -0,0 +1,32 @@
+name: Deploy NEWM Studio to AWS Hosting on PR
+on:
+  pull_request:
+    paths:
+      - .github/workflows/aws-hosting-pull-request-newm-studio.yml
+      - apps/studio/**
+      - packages/**
+jobs:
+  build_and_preview:
+    if: "${{ github.event.pull_request.head.repo.full_name == github.repository }}"
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # required to interact with GitHub's OIDC Token endpoint.
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+      - run: npm install
+      - run: npx nx build studio
+        env:
+          VITE_APPLE_CLIENT_ID: ${{ secrets.APPLE_CLIENT_ID }}
+          VITE_GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
+          VITE_GA_STUDIO_ID: ${{ secrets.GA_STUDIO_ID }}
+          VITE_RECAPTCHA_SITE_KEY_STAGING: ${{ secrets.RECAPTCHA_SITE_KEY_STAGING }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          VITE_ENV: staging
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_GITHUB_DEPLOY_ROLE_ARN_GARAGE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: Deploy to S3
+        run: aws --region ${{ secrets.AWS_REGION }} s3 sync ./dist/apps/studio s3://${{ secrets.AWS_PREVIEW_BUCKET }}/${{ github.event.pull_request.number }} --no-progress --delete
diff --git a/.github/workflows/cdk/.npmignore b/.github/workflows/cdk/.npmignore
@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/.github/workflows/cdk/bin/app.ts b/.github/workflows/cdk/bin/app.ts
@@ -0,0 +1,43 @@
+#!/usr/bin/env node
+import "source-map-support/register";
+import * as cdk from "aws-cdk-lib";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import * as path from "path";
+
+const appName = process.env.APPNAME || "APPNAME";
+const qualifier = process.env.QUALIFIER || "UNDEFINED";
+const rootDir = path.resolve(__dirname, "..", "..", "..", "..");
+
+class WebPreviewStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const previewFunction = new lambda.DockerImageFunction(
+      this,
+      "PreviewFunction",
+      {
+        code: lambda.DockerImageCode.fromImageAsset(rootDir, {
+          file: path.join("apps", appName, "Dockerfile"),
+        }),
+        memorySize: 1024,
+      }
+    );
+    const lambdaFuncUrl = previewFunction.addFunctionUrl({
+      authType: lambda.FunctionUrlAuthType.NONE,
+    });
+    new cdk.CfnOutput(this, "CfnOutputFunctionUrl", {
+      key: `${appName}${qualifier}FunctionUrl`,
+      value: lambdaFuncUrl.url,
+    });
+  }
+}
+
+const app = new cdk.App();
+new WebPreviewStack(app, "WebPreviewStack", {
+  stackName: `${appName}-${qualifier}`,
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+});
diff --git a/.github/workflows/cdk/cdk.json b/.github/workflows/cdk/cdk.json
@@ -0,0 +1,70 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
+  }
+}